authorbenjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-02-17 14:01:24 +0000
committerbenjamin.dauvergne <benjamin.dauvergne@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-02-17 14:01:24 +0000
commitce1a5d08aa3aa1e78b3bcf3a76915c875f37f8cb (patch)
tree65d0881f51ee87cfe38738c260e8bf32ae43f26f /auth_mellon_handler.c
parent10e252281585a8a84b6be49ebca1e293aea78000 (diff)
Add directive MellonSubjectConfirmationDataAddressCheck
MellonSubjectConfirmationDataAddressCheck allows disabling the check of the client address given in the SubjectConfirmationData node of the IdP assertion. Disabling it can be necessary when the client and the IdP or SP are in a NAT-ed network, or when the SP is behind a reverse proxy. git-svn-id: https://modmellon.googlecode.com/svn/trunk@152 a716ebb1-153a-0410-b759-cfb97c6a1b53
Diffstat (limited to 'auth_mellon_handler.c')
-rw-r--r--auth_mellon_handler.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index e1d4c3b..abbdab0 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -1150,6 +1150,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
apr_time_t t;
LassoSaml2SubjectConfirmation *sc;
LassoSaml2SubjectConfirmationData *scd;
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
if (assertion->Subject == NULL) {
/* No Subject to validate. */
@@ -1226,7 +1227,7 @@ static int am_validate_subject(request_rec *r, LassoSaml2Assertion *assertion,
}
}
- if (scd->Address) {
+ if (scd->Address && CFG_VALUE(cfg, subject_confirmation_data_address_check)) {
if (strcasecmp(scd->Address, r->connection->remote_ip)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Wrong Address in SubjectConfirmationData."
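Review bot: When the directive turns the check off, the new condition `if (scd->Address && CFG_VALUE(cfg, subject_confirmation_data_address_check))` accepts an assertion whose Address does not match the client without leaving any trace in the log. The Address comparison binds the assertion to the connection presenting it, so an operator who disables it should still be able to see that it was skipped; an `else if (scd->Address)` branch calling `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SubjectConfirmationData Address check disabled by configuration.");` would cover that. A comment above the condition, such as `/* Optional binding of the assertion to the client address; disable only behind NAT or a reverse proxy. */`, would record the trade-off next to the code. The directive's default is not visible in this file section and should presumably stay enabled; the body of the `if` continues outside the hunk.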